Auditing system guards DMS

By Elizabeth Sikorovsky

Jan 21, 1996

As part of a ground-breaking computer security plan, the Defense Information Systems Agency plans to build a $200 million global auditing system to protect the Defense Message System from skyrocketing numbers of network attacks.

DISA now depends on network and security administrators in the field to detect and react to intrusions on Defense Department computer systems. Under the new plan approved last month, DISA would establish a control center to monitor all major switches and routers in the Defense Information Infrastructure.

"The way we have operated traditionally has been almost all reactive," said Robert Ayers, head of the DISA Defensive Information Warfare Division. Currently, Ayers said, DISA's Automated Systems Security Incident Support Team "gets a call after something has happened. The way we're going to be operating in the future is to work in real-time detection."

Real-time detection and reaction is a major thrust of the plan to improve computer security throughout the agency that will significantly strengthen "defensive information warfare" capabilities throughout DMS and parts of DOD.

The plan, to be released publicly within the next two months, will be funded out of the $1.95 billion Center for Information Systems Security Infosec Technical Services contract, jointly held by Computer Sciences Corp., Science Applications International Corp. and Merdan Group Inc.

DISA has found that users in the field detect and report only a fraction of the intrusions that actually occur. Of more than 7,800 successful mock attacks launched by DISA, less than 5 percent were detected, and less than 5 percent of those detected were reported.

Under the new DISA project, scheduled to go into effect in fiscal 1997, DMS and some other DOD networks would run security auditing systems that would feed real-time audit streams to regional monitoring centers. These regional centers would then feed real-time audit streams to a single global monitoring center at DISA. As a result, individual network administrators would have more tools to detect intrusions. At the same time, DISA would receive real-time, high-level auditing data.

"We're going to integrate our audit mechanisms so we can maintain an integrated view of the Defense Information Infrastructure," Ayers said, "and put in place an automated infrastructure management system that will allow us to flexibly manage our operational response."

In addition to detecting intrusions, the new systems would react to intrusions. Systems would be equipped to deny service to suspected intruders and to warn administrators and the global control center.

"It really is exciting," Ayers said. "I believe the commitment that DISA has made to this process is unprecedented. It's a combination of dollars and leadership."

To carry out the plan, Ayers said, DISA will select a commercial software auditing package and then tailor it to match its needs. The software will be ported to numerous operating systems. A growing number of federal computer security administrators say a centralized, automated monitoring strategy offers more hope for success against system break-ins than dependence on users in the field.

Ayers said the Air Force is pursuing a similar plan, and recently the U.S. Army 5th Signal Command computer security team, in charge of Army computer systems in Europe, installed a centralized monitoring system.

Some NASA officials are arguing for a more centralized, proactive intrusion-detection mechanism for NASA and NASA-affiliated systems.

The project poses daunting technical challenges—specifically, the integration of auditing systems across multiple platforms. For example, the 5th Signal Command had to first port all its auditing software to the many platforms the Army operates in Europe. From this, the Army created an integrated, hierarchical reporting structure that fed to a control center.

"I really believe that the majority of the problem is an integration problem. The machines themselves have the capability of auditing data, and so the challenge is normalizing them to a common format," Ayers said. "There is no capability now to take the audit data from phone systems and different types of computers, such as mainframes.

"If we are successful in developing the application, we're going to take that application to everyone in DISA," Ayers said. "We'd make it available for anyone in the Defense Department and the services."
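The normalization and hierarchical reporting Ayers describes, as an added example that is not part of the original article or of DISA's system: two constructed raw audit formats (standing in for a Unix host and a mainframe; not real log formats) are mapped to one common record, a regional center flags sources with repeated login failures across its sites, and only the summary, not the raw stream, is passed to the global center. The "unix"/"mainframe" labels, the threshold and the sample lines are assumptions.

```python
import re
from collections import Counter, namedtuple

# Common record that every platform's raw audit line is normalized into.
AuditEvent = namedtuple("AuditEvent", "site host user outcome source")
# Constructed raw formats standing in for two platforms (not real log formats).
RAW_FORMATS = {
    "unix": re.compile(r"^(?P<host>\S+) login (?P<outcome>OK|FAILED) user=(?P<user>\S+) from=(?P<source>\S+)$"),
    "mainframe": re.compile(r"^(?P<user>\S+) (?P<outcome>LOGON|REJECTED) AT (?P<host>\S+) TERM (?P<source>\S+)$"),
}

def normalize(site, platform, line):
    """Map one raw audit line to an AuditEvent, or None if it does not parse."""
    m = RAW_FORMATS[platform].match(line)
    if not m:
        return None
    outcome = "success" if m["outcome"] in ("OK", "LOGON") else "failure"
    return AuditEvent(site, m["host"], m["user"], outcome, m["source"])

def regional_report(site_feeds, threshold=3):
    """Regional center: normalize each site's feed, flag sources with repeated
    login failures across sites, and pass only a summary (not the raw stream) upward."""
    failures, total = Counter(), 0
    for site, platform, lines in site_feeds:
        for ev in (normalize(site, platform, line) for line in lines):
            if ev is None:
                continue  # lines in an unknown shape are skipped rather than guessed at
            total += 1
            if ev.outcome == "failure":
                failures[ev.source] += 1
    suspects = sorted(s for s, n in failures.items() if n >= threshold)
    return {"events": total, "suspects": suspects}

def global_report(regional_reports):
    """Global center: merge regional summaries into one high-level view."""
    return {"events": sum(r["events"] for r in regional_reports),
            "suspects": sorted({s for r in regional_reports for s in r["suspects"]})}

# Constructed sample feeds: a Unix host and a mainframe in one region; the same
# source fails on both platforms, which neither site would notice on its own.
EUROPE_FEEDS = [
    ("site-a", "unix", ["hostA login FAILED user=root from=10.1.1.9",
                        "hostA login FAILED user=admin from=10.1.1.9",
                        "hostA login OK user=alice from=local"]),
    ("site-b", "mainframe", ["ROOT REJECTED AT MF01 TERM 10.1.1.9",
                             "BOB LOGON AT MF01 TERM T402", "not an audit line"]),
]

def demo():
    return global_report([regional_report(EUROPE_FEEDS)])
```

Only the cross-site view reaches the threshold here: each site alone sees fewer than three failures from the same source.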

He said DISA would rely heavily on commercial software to set up the system. "Our strategy is to identify commercial products that come closest to what we require and then to partner with industry," he said.

As a result, DISA's plan could stimulate the appearance of new commercial auditing products tailored to diverse multiplatform systems, which might appeal to other federal agencies.

The plan is part of "an overall strategy concept for how DISA will deal with defensive warfare," Ayers said.